Mozilla

Vendor security scorecard – 163 CVEs in the selected period

Risk: 784
CVEs: 163
Critical: 40
High: 92
KEV: 0
PoC: 2
Unpatched Critical/High: 3
Patch rate: 97.5%
Avg EPSS: 0.0%

Severity Breakdown

CRITICAL: 40
HIGH: 92
MEDIUM: 30
LOW: 1

Monthly CVE Trend

Top Risky CVEs

CVE-2026-4689 | Severity: CRITICAL | CVSS: 10.0 | EPSS: 0.0% | Priority: 70 | Signals: PoC
A sandbox escape vulnerability exists in Firefox's XPCOM component due to incorrect boundary conditions and integer overflow, allowing attackers to bypass security sandboxing mechanisms. This affects Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. An attacker can exploit this flaw to escape the browser sandbox and potentially execute arbitrary code with elevated privileges on the affected system.

CVE-2026-4688 | Severity: CRITICAL | CVSS: 10.0 | EPSS: 0.0% | Priority: 50
Sandbox escape in Mozilla Firefox's Disability Access APIs component due to a use-after-free memory vulnerability allows unauthenticated remote attackers to execute arbitrary code with full system compromise. Firefox versions below 149 and Firefox ESR below 140.9 are affected, with no patch currently available. The vulnerability is exploitable over the network without user interaction, presenting critical risk to all affected users.

CVE-2026-4725 | Severity: CRITICAL | CVSS: 10.0 | EPSS: 0.0% | Priority: 50
Unauthenticated remote attackers can escape the Firefox sandbox through a use-after-free vulnerability in the Canvas2D graphics component, allowing arbitrary code execution on affected systems running Firefox versions prior to 149. The vulnerability requires no user interaction and impacts the entire system due to its critical severity and CVSS score of 10.0. No patch is currently available for this actively exploitable flaw.

CVE-2026-4692 | Severity: CRITICAL | CVSS: 10.0 | EPSS: 0.0% | Priority: 50
A sandbox escape vulnerability exists in Firefox's Responsive Design Mode component that allows attackers to break out of the browser's security sandbox and access sensitive information. This affects Firefox versions prior to 149, Firefox ESR prior to 115.34, and Firefox ESR prior to 140.9. An attacker can exploit this vulnerability to disclose information by circumventing the sandbox restrictions that normally isolate web content from the browser's privileged context.

CVE-2026-5731 | Severity: CRITICAL | CVSS: 9.8 | EPSS: 0.1% | Priority: 49
Remote code execution in Mozilla Firefox and Thunderbird via memory corruption vulnerabilities allows unauthenticated remote attackers to execute arbitrary code without user interaction. Affects Firefox < 149.0.2, Firefox ESR < 115.34.1, and Firefox ESR < 140.9.1 across desktop platforms. With CVSS 9.8 (critical severity, network-accessible, no privileges required) and CWE-119 buffer overflow classification, this represents multiple memory safety bugs that Mozilla assessed could be exploited for arbitrary code execution. No public exploit identified at time of analysis; EPSS data not provided, but critical browser vulnerabilities historically attract rapid exploitation interest.

CVE-2026-6748 | Severity: CRITICAL | CVSS: 9.8 | EPSS: 0.0% | Priority: 49
Uninitialized memory access in Firefox's Web Codecs API enables remote code execution without authentication. Attackers can exploit this CWE-457 (Use of Uninitialized Variable) flaw through network-accessible vectors with low complexity (AV:N/AC:L/PR:N/UI:N) to achieve complete system compromise including data exfiltration, arbitrary code execution, and denial of service. The CVSS 9.8 severity is supported by the SSVC assessment, which classifies exploitation as automatable with total technical impact. Vendor-released patches are available in Firefox 150 and Firefox ESR 140.10. CISA SSVC reports no active exploitation at time of analysis.

CVE-2026-8956 | Severity: CRITICAL | CVSS: 9.8 | EPSS: 0.0% | Priority: 49
Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.

CVE-2026-5734 | Severity: CRITICAL | CVSS: 9.8 | EPSS: 0.0% | Priority: 49
Multiple memory corruption vulnerabilities in Mozilla Firefox (< 149.0.2) and Firefox ESR (< 140.9.1) enable unauthenticated remote code execution with critical CVSS 9.8 severity. These memory safety bugs, including CWE-787 out-of-bounds write issues, affect both standard and Extended Support Release channels, with Mozilla confirming evidence of memory corruption exploitable for arbitrary code execution. No active exploitation confirmed (not in CISA KEV) and no public exploit identified at time of analysis, though the CVSS vector indicates a network-accessible attack requiring no user interaction.

CVE-2026-6771 | Severity: CRITICAL | CVSS: 9.8 | EPSS: 0.0% | Priority: 49
DOM security mitigation bypass in Mozilla Firefox allows remote unauthenticated attackers to completely compromise browser security, achieving high confidentiality, integrity, and availability impact. Affects Firefox versions prior to 150 and Firefox ESR versions prior to 140.10. The vulnerability bypasses critical browser security controls designed to protect the Document Object Model. SSVC assessment indicates the flaw is automatable with total technical impact, though no active exploitation has been confirmed at time of analysis. The CVSS 9.8 critical rating reflects a network-based attack with no complexity barriers.

CVE-2026-5735 | Severity: CRITICAL | CVSS: 9.8 | EPSS: 0.0% | Priority: 49
Remote code execution in Mozilla Firefox versions prior to 149.0.2 stems from multiple memory safety bugs allowing unauthenticated network attackers to execute arbitrary code without user interaction. Mozilla confirmed memory corruption evidence across affected versions (Firefox 149.0.1 and Thunderbird 149.0.1), though Thunderbird patch status remains unconfirmed. CVSS 9.8 reflects maximum severity due to the network-accessible attack vector with no complexity barriers. No public exploit identified at time of analysis, though the CWE-787 out-of-bounds write class has high weaponization potential once technical details emerge from the linked Bugzilla entries.

CVE-2026-6768 | Severity: CRITICAL | CVSS: 9.8 | EPSS: 0.0% | Priority: 49
Authentication bypass in Firefox's cookie-handling mechanism allows remote unauthenticated attackers to bypass security controls via network requests, achieving full confidentiality, integrity, and availability compromise. Affects Firefox versions prior to 150. Mozilla has released patches in security advisories MFSA2026-30 and MFSA2026-33. The CISA SSVC framework classifies this as fully automatable with total technical impact, though no active exploitation is confirmed at time of analysis. The CVSS 9.8 critical severity reflects the network attack vector with no authentication or user interaction required.

CVE-2026-4691 | Severity: CRITICAL | CVSS: 9.8 | EPSS: 0.0% | Priority: 49
Critical use-after-free in Mozilla Firefox's CSS parsing engine enables unauthenticated remote code execution with no user interaction required, affecting Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. An attacker can exploit this memory corruption vulnerability by crafting a malicious web page that triggers the vulnerability when rendered, achieving full system compromise. No patch is currently available.

CVE-2026-4698 | Severity: CRITICAL | CVSS: 9.8 | EPSS: 0.0% | Priority: 49
A JIT miscompilation vulnerability exists in Firefox's JavaScript engine that can lead to information disclosure. This affects Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. An attacker can exploit this flaw through malicious JavaScript to extract sensitive information from the browser's memory, potentially compromising user data and system security.

CVE-2026-4696 | Severity: CRITICAL | CVSS: 9.8 | EPSS: 0.0% | Priority: 49
Unauthenticated remote attackers can achieve arbitrary code execution through a use-after-free memory corruption vulnerability in Firefox's text and font rendering engine, affecting Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. The vulnerability requires no user interaction or special privileges and allows complete compromise of confidentiality, integrity, and availability. No patch is currently available.

CVE-2026-4717 | Severity: CRITICAL | CVSS: 9.8 | EPSS: 0.0% | Priority: 49
Firefox's Netmonitor component contains a privilege escalation vulnerability that affects versions prior to 149 (Firefox ESR prior to 140.9), allowing unauthenticated attackers to gain elevated privileges through network-accessible attack vectors with no user interaction required. This critical flaw (CVSS 9.8) enables complete system compromise including confidentiality, integrity, and availability violations, with no patch currently available.
